Question

How to fix Cloudflare 526 invalid SSL certificate

A 526 error means Cloudflare cannot validate the certificate served by your origin while strict TLS verification is active.

Common causes seen in production

  1. The certificate hostname does not match your domain.
  2. The certificate is expired or the chain is incomplete.
  3. Full (strict) is enabled but the origin only serves a self-signed certificate, which Cloudflare does not trust.
  4. The origin serves the wrong certificate because of an SNI or vhost mismatch.

Command checklist

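# Show the certificate and chain the origin serves; connect to the origin IP directly, because the proxied hostname resolves to Cloudflare
openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com -showcerts </dev/null | head -n 80
# Request the site from the origin with the correct SNI and Host; -v prints the TLS verification result
curl -Iv --resolve yourdomain.com:443:ORIGIN_IP https://yourdomain.com/
# Confirm which process is listening on port 443 on the origin
sudo ss -lntp | grep :443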
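
The checks above can be scripted against a saved copy of the origin's leaf certificate. The following is an added example, not part of the original page: the function name, finding labels and origin.pem file name are assumptions, and it covers hostname, expiry and self-signed certificates only (chain completeness is not checked).

```shell
#!/bin/sh
# Added example: checks a saved origin leaf certificate (PEM) for the causes
# listed above. File names and hostnames are assumptions, not from the page.
#
# Save the leaf certificate first (ORIGIN_IP is the page's placeholder):
#   openssl s_client -connect ORIGIN_IP:443 -servername yourdomain.com \
#       </dev/null 2>/dev/null | openssl x509 > origin.pem

# check_origin_cert PEM_FILE HOSTNAME [MIN_SECONDS_LEFT]
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
check_origin_cert() {
    pem=$1
    host=$2
    min_left=${3:-0}   # 0 = flag only certificates that are already expired
    rc=0

    # Causes 1 and 4: the served certificate does not cover the hostname.
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" 2>&1 |
            grep -q 'does match'; then
        echo "HOSTNAME_MISMATCH: certificate does not cover $host"
        rc=1
    fi

    # Cause 2: expired, or expiring within MIN_SECONDS_LEFT seconds.
    if ! openssl x509 -in "$pem" -noout -checkend "$min_left" >/dev/null 2>&1; then
        echo "EXPIRING: not valid ${min_left}s from now"
        rc=1
    fi

    # Cause 3: subject equals issuer, so the certificate is self-signed.
    subj=$(openssl x509 -in "$pem" -noout -subject)
    issr=$(openssl x509 -in "$pem" -noout -issuer)
    if [ "${subj#*=}" = "${issr#*=}" ]; then
        echo "SELF_SIGNED: issuer is the certificate itself"
        rc=1
    fi

    return "$rc"
}
```

Run it as check_origin_cert origin.pem yourdomain.com 2592000 to also flag certificates that expire within 30 days.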

Recovery order

Fix certificate correctness first, then re-test in strict mode. Do not mask a cert issue by changing many unrelated Cloudflare settings.
